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1. We intend to revise the code to address the impact of changes in data 
protection legislation, where these changes are relevant to data sharing. 
What changes to the data protection legislation do you think we should 
focus on when updating the code? 

There have been seismic changes in the data protection landscape since 2011 when 
the previous version of the data sharing code of practice was published. The 
implementation of the EU General Data Protection Regulation and the Data 
Protection Act 2018 has radically strengthened the rights of data subjects requiring 
data controllers and data protectors to more systematically provide information to 
data subjects about how data is shared, but also provide additional rights (erasure, 
portability etc). Although the code is intended to be generic, we have concerns that 
trying to cover all areas of data sharing might be too ambitious. In particular, the 
existing code includes some examples that relate to the criminal justice system. 
Given that there is now a separate EU Regulation relating to this, it might be 
sensible to have a separate code dealing with these aspects. This might enable 
some more detailed worked examples of data sharing in different sectors to be 
retained. 


2. Apart from recent changes to data protection legislation, are there other 
developments that are having an impact on your organisation’s data 
sharing practice that you would like us to address in the updated code? 
Yes 


3. Please specify 
We would like to see more emphasis on the areas which were not previously 
regulated under the old Data Protection Directive/DPA 1998. This includes the new 
powers to regulate genetic and biometric data (Article 9(1)). The revised code 
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should also cover the obligations arising from automated processing (see further 
question 10). Ideally, the revised code should also cover the strengthened 
exemptions for using data for research (Article 89). 


No 


In what ways does it fail to strike the right balance? 

In the health context, the National Data Guardian highlighted the importance of 
sharing data by introducing a data sharing principle in her 2013 review of data 
sharing. Her work has consistently highlighted the importance of data sharing to 
improve the safety and efficacy of patient care. We would like to see the revised 
code of practice reflect this obligation to share data being reflected more fully. 


What types of data sharing (eg systematic, routine sharing or exceptional, 
ad hoc requests) are covered in too much detail in the 2011 code? 


No response provided 


What types of data sharing (eg systematic, routine sharing or exceptional, 
ad hoc requests) are not covered in enough detail in the 2011 code? 


Our organisation is a health policy think tank interested in how biomedical 
innovations can facilitate more personalised healthcare. An example of our work on 
technologies is a new report on the personalised medicine technology landscape 
[http ://www.phgfoundation.org/report/personalised-medicine-technolo 

landscape] We focus partly on the routine sharing of data to support health care (for 
example the sharing of genetic data between health professionals and laboratories 
to support safe, effective care) see 

http ://www.phgfoundation.org/documents/report_data_sharing support clinical _ge 
netic services.pdf We would like to see more emphasis placed on the importance of 
routine sharing of data within the NHS to support high quality clinical care. However 
we are also interested in evolving uses of health care by citizens, especially when it 
is passed through a device, app or third party provider to health services. These 
complex data flows are likely to be integrated into health care within the next five 
years, and the code should look ahead to some of the uses that are on the horizon. 


Is the 2011 code relevant to the types of data sharing your organisation is 
involved in? If not, which additional areas should we cover? 


We strongly urge that the code should include guidance on the use of automated 
decision-making. Although our organisation does not utilise automated processing, 
we do research on this topic. Automated decision making is becoming key in many 
sectors and is likely to become ubiquitous in the future. 


The GDPR also strengthens the exemptions for research. This is another area that 
could be included more fully in the revised guidance. 


10. Please provide details of any case studies or data sharing scenarios that you 
would like to see included in the updated code? 


We suggest that the code should include a case study on automated processing: it 
should highlight practical but potentially problematic aspects in interpreting the 
GDPR. This might include what constitutes a legal effect or something significant 
(Article 22), and the sufficiency of an explanation provided to data subjects (Articles 
22 and Articles 13-15). 


Other useful case studies might look at the legal basis of anonymisation to take data 
outside the scope of the Regulation. In the health context, this is an area which is 
causing considerable uncertainty. 


The GDPR includes extensive provision for research. The interface between health 
care and health research (and the need to shift from one legal basis to another) is 
something that could benefit from further examination and exploration. 


11. Is there anything the 2011 code does not cover that you think it should? 
Please provide details. 


We have included details in answer to the questions above. It may be that these 
aspects could be better covered in a code that is sector specific, to enable these 
issues to be dealt with in sufficient detail. 


12. In what other ways do you think the 2011 code could be improved? 


We suggest that the code might benefit from being restructured so that the practical 
aspects of data sharing (such as the questions that are raised on page 14-15) are 
given prominence earlier in the document. Hyperlinks between these practical 
questions and relevant sections and case studies within the code would also assist 
the lay reader to navigate around the document. This would improve the 
accessibility of the document for readers who might otherwise be put off by the legal 
context provided in the first few chapters. 


Please do contact us should you require further information about what we 
have submitted or require additional clarification. 


The PHG Foundation is a pioneering independent think-tank with a special focus on genomics and other 
emerging health technologies that can provide more accurate and effective personalised medicine. 


Established in 1997, we are now part of the University of Cambridge 


Our mission is to make science work for health 


